Fortigate - AirPrint across two subnet/region (using CLI)
The below steps have been tested on a FWF60c with 5.2.6 software.
This tutorial is based on Fortinet's document. However, in my version the multicast policy setup is not available in the web UI, so I do it in the CLI.
Assume my AirPrint printer is placed inside "lan". I would like to allow all devices in "GuestWifi" (including iPhone, iPad, Android and Windows notebooks) to access it. The multicast policy below allows bi-directional Bonjour messages across the two subnets, between the iOS devices and the AirPrint printer.
The script below should also work for AirPlay, but I haven't tested it yet. Please comment and let me know if AirPlay works.
//adding addresses for wireless networks and printers
config firewall address
    # Host object for the AirPrint printer (single IP, /32 mask), bound to the "lan" interface.
    edit "LAN_Printer"
        set subnet 192.168.1.9 255.255.255.255
        set associated-interface "lan"
    next
    # Whole "lan" subnet; source address of the lan -> GuestWifi multicast policy.
    edit "LAN_ALL"
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "lan"
    next
    # Whole guest subnet; source address of the GuestWifi -> lan multicast policy.
    edit "GUEST_ALL"
        set subnet 192.168.3.0 255.255.255.0
        set associated-interface "GuestWifi"
    next
end
// adding service objects for printing; these two service objects are not used in the policies below.
config firewall service custom
    # IPP printing, TCP/631. Not referenced by the policies in this script (they use service "ALL");
    # defined so a tighter policy can use it instead of "ALL".
    edit "IPP"
        set category "Network Services"
        set tcp-portrange 631
    next
    # PDL data stream printing, TCP/9100. Also unused by the policies below.
    edit "PDL"
        set category "Network Services"
        set comment "PDL Data Stream"
        set tcp-portrange 9100
    next
end
// Multicast addresses - should already be there. I dump the setting here in case you have missed this in your setup.
config firewall multicast-address
    # Bonjour (mDNS) multicast group. A single address: start-ip and end-ip are both 224.0.0.251.
    edit "Bonjour"
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
end
// Adding multicast security policy - This is the critical part that forwards the Bonjour multicast traffic to the other subnet.
// This part can be done in CLI only, in my Fortigate
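config firewall multicast-policy
    # Policy 1, lan -> GuestWifi: forwards the printer's Bonjour (mDNS) announcements to the guest subnet.
    # protocol 17 = UDP. Both start-port and end-port are pinned to 5353: start-port keeps its
    # default (the bottom of the port range) when only end-port is set, so the original rule
    # matched UDP 1-5353 rather than just mDNS.
    edit 1
        set srcintf "lan"
        set dstintf "GuestWifi"
        set srcaddr "LAN_ALL"
        set dstaddr "Bonjour"
        set protocol 17
        set start-port 5353
        set end-port 5353
    next
    # Policy 2, GuestWifi -> lan: forwards guest devices' Bonjour queries to the "lan" subnet.
    # Same UDP/5353-only restriction as policy 1.
    edit 2
        set srcintf "GuestWifi"
        set dstintf "lan"
        set srcaddr "GUEST_ALL"
        set dstaddr "Bonjour"
        set protocol 17
        set start-port 5353
        set end-port 5353
    next
end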
//Adding Inter-subnet policy
// I allow all protocols to pass, not just AirPrint, so that port 9100 printing and scanning also work from my guest Windows PC (the printer IP needs to be entered manually).
// My Android printing also works, but the IP needs manual input.
config firewall policy
    # 101: guest clients may open sessions to the printer host only (dstaddr "LAN_Printer"),
    # on any service, so that IPP/AirPrint, TCP/9100 printing and scanning all work.
    # logtraffic is disabled, so guest-to-LAN sessions are not recorded; turning logging on
    # is the first change to make when the guest network needs to be monitored.
    edit 101
        set srcintf "GuestWifi"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "LAN_Printer"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    # 102: the reverse direction. Reply traffic for sessions opened under 101 is already
    # handled by the session table, so this policy only matters when the printer itself
    # initiates connections into the guest subnet (e.g. scan-to-PC). If that is not needed,
    # dropping this policy keeps the printer from reaching guest devices.
    edit 102
        set srcintf "lan"
        set dstintf "GuestWifi"
        set srcaddr "LAN_Printer"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
This tutorial is based on Fortinet's document. However, in my version the multicast policy setup is not available in the web UI, so I do it in the CLI.
Assume my AirPrint printer is placed inside "lan". I would like to allow all devices in "GuestWifi" (including iPhone, iPad, Android and Windows notebooks) to access it. The multicast policy below allows bi-directional Bonjour messages across the two subnets, between the iOS devices and the AirPrint printer.
The script below should also work for AirPlay, but I haven't tested it yet. Please comment and let me know if AirPlay works.
//adding addresses for wireless networks and printers
config firewall address
    # Host object for the AirPrint printer (single IP, /32 mask), bound to the "lan" interface.
    edit "LAN_Printer"
        set subnet 192.168.1.9 255.255.255.255
        set associated-interface "lan"
    next
    # Whole "lan" subnet; source address of the lan -> GuestWifi multicast policy.
    edit "LAN_ALL"
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "lan"
    next
    # Whole guest subnet; source address of the GuestWifi -> lan multicast policy.
    edit "GUEST_ALL"
        set subnet 192.168.3.0 255.255.255.0
        set associated-interface "GuestWifi"
    next
end
// adding service objects for printing; these two service objects are not used in the policies below.
config firewall service custom
    # IPP printing, TCP/631. Not referenced by the policies in this script (they use service "ALL");
    # defined so a tighter policy can use it instead of "ALL".
    edit "IPP"
        set category "Network Services"
        set tcp-portrange 631
    next
    # PDL data stream printing, TCP/9100. Also unused by the policies below.
    edit "PDL"
        set category "Network Services"
        set comment "PDL Data Stream"
        set tcp-portrange 9100
    next
end
// Multicast addresses - should already be there. I dump the setting here in case you have missed this in your setup.
config firewall multicast-address
    # Bonjour (mDNS) multicast group. A single address: start-ip and end-ip are both 224.0.0.251.
    edit "Bonjour"
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
end
// Adding multicast security policy - This is the critical part that forwards the Bonjour multicast traffic to the other subnet.
// This part can be done in CLI only, in my Fortigate
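config firewall multicast-policy
    # Policy 1, lan -> GuestWifi: forwards the printer's Bonjour (mDNS) announcements to the guest subnet.
    # protocol 17 = UDP. Both start-port and end-port are pinned to 5353: start-port keeps its
    # default (the bottom of the port range) when only end-port is set, so the original rule
    # matched UDP 1-5353 rather than just mDNS.
    edit 1
        set srcintf "lan"
        set dstintf "GuestWifi"
        set srcaddr "LAN_ALL"
        set dstaddr "Bonjour"
        set protocol 17
        set start-port 5353
        set end-port 5353
    next
    # Policy 2, GuestWifi -> lan: forwards guest devices' Bonjour queries to the "lan" subnet.
    # Same UDP/5353-only restriction as policy 1.
    edit 2
        set srcintf "GuestWifi"
        set dstintf "lan"
        set srcaddr "GUEST_ALL"
        set dstaddr "Bonjour"
        set protocol 17
        set start-port 5353
        set end-port 5353
    next
end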
//Adding Inter-subnet policy
// I allow all protocols to pass, not just AirPrint, so that port 9100 printing and scanning also work from my guest Windows PC (the printer IP needs to be entered manually).
// My Android printing also works, but the IP needs manual input.
config firewall policy
    # 101: guest clients may open sessions to the printer host only (dstaddr "LAN_Printer"),
    # on any service, so that IPP/AirPrint, TCP/9100 printing and scanning all work.
    # logtraffic is disabled, so guest-to-LAN sessions are not recorded; turning logging on
    # is the first change to make when the guest network needs to be monitored.
    edit 101
        set srcintf "GuestWifi"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "LAN_Printer"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    # 102: the reverse direction. Reply traffic for sessions opened under 101 is already
    # handled by the session table, so this policy only matters when the printer itself
    # initiates connections into the guest subnet (e.g. scan-to-PC). If that is not needed,
    # dropping this policy keeps the printer from reaching guest devices.
    edit 102
        set srcintf "lan"
        set dstintf "GuestWifi"
        set srcaddr "LAN_Printer"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end